Re: [BEHAVE] Can we have on NAT66 discussion?

Hi Darrel,
Comments below
On Thu, Nov 13, 2008 at 9:30 PM, Darrel Lewis (darlewis) <darlewis@xxxxxxxxx> wrote:
Comments below inline with DL>
NAT66 is in fact a security requirement in many applications and in others it is a compliance requirement. Stampy feet protests that the idea is profane don't change those facts.
 
NAT is not and never was a security feature, it was a way to use fewer numbers because they were hard to get. Please stop the fallacy that NAT in any way is related to security, otherwise we would not need firewalls.
 
DL> Port/Overload NAT for IPv4 (NAT:P) has security benefits in that it requires explicit configuration to allow for inbound unsolicited transport connections (via port forwarding) to 'inside' hosts.  This mimics many of the default policies on most firewalls, hence the confusion.  Note that this can also cause security issues elsewhere in the network.  The loss of information of the identity of the source host can cause address filtering in the network to affect other devices than just the one intended.
 
If you are keeping the source IP address the full length of the session, then there is no problem of losing the identity of the source host, thus there should be no problem with address filtering - this is the point of not breaking the end-to-end connectivity that is built into v6. This has nothing to do with ports, so that requirement is not relevant as far as I can see.
DL> I'm wondering if this is written down somewhere, because both of the above points seem to be argued over and over again, without people being generally educated about them.
 
I know that there are some people in the security area who claim otherwise but they have been wrong on many issues in the past and they are likely wrong on this one. Let us consider for a minute the list of real world security measures that the IETF has successfully deployed, well there is DKIM (sort of) and there is the post-facto cleanup of SSL after it was successful and the post facto cleanup of X.509 after that was successful. IPSEC is used as a VPN solution despite being unsuited for the role as originally designed.
 
On the negative side the same consensus that opposes NAT66 has in the past opposed firewalls, the single most widely used network security control. It has also promoted the idea of algorithm proliferation and negotiation as a good thing (these days we consider it bad). It has promoted the idea that the most important feature in a security protocol is that it be absolutely secure against theoretical attacks rather than easy enough to deploy and use that people actually use it.
 
This is not quite true, the ones who have been arguing against it have constantly asked why we need it. But we still do not know why we need NAT, no one has done the gap analysis.
 
DL> I would argue that stateless filtering (e.g. access control lists) is even more common than firewalls and is the single most widely used network security control.  But the main point is that firewalls (stateful (flow based) filtering that usually have default policies) are orthogonal to address translation.  They just happen to occur at the same point in the topology in many networks.
 
DL> But I think Eric you have a good point about documenting the relationship between a privately addressed IPv4 site and a publicly addressed IPv6 site.  We should publicly document the differences, it would likely make or break the case for NAT66.
Darrel, this is exactly my point. I do not want to prejudice the final solution, but until we know what we want to fix just throwing NAT at it is not good enough. If there is a real need that requires some or all of the old NAT44 then I will support it - but I want to know why we need it over any other solution first.
Eric
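An added example, not code from this thread or from any IETF document: a toy flow-based filter on untranslated IPv6 addresses. It illustrates Darrel's point that the "unsolicited inbound is dropped unless explicitly configured" property people attribute to NAT:P is really flow state plus a default policy, orthogonal to translation, and Eric's point that the source address then survives end-to-end so address filtering still works. The prefix, addresses and ports are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample site prefix; nothing here is a real network.
INSIDE = ipaddress.ip_network("2001:db8:1::/48")

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def inside(addr):
    return ipaddress.ip_address(addr) in INSIDE

class StatefulFilter:
    """Flow-based filter with a default-deny policy for unsolicited inbound."""

    def __init__(self, allow_inbound=()):
        # Explicit allow rules (inside address, port): the filter-side
        # equivalent of a NAT:P port-forward entry, minus the translation.
        self.allow_inbound = set(allow_inbound)
        self.flows = set()  # 4-tuples of flows an inside host has opened

    def process(self, pkt):
        if inside(pkt.src) and not inside(pkt.dst):
            # Outbound: remember the flow, forward with addresses untouched.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward"
        if not inside(pkt.src) and inside(pkt.dst):
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return "forward"  # reply to a flow opened from inside
            if (pkt.dst, pkt.dport) in self.allow_inbound:
                return "forward"  # explicitly permitted service
            return "drop"         # default policy: unsolicited inbound
        return "forward"          # not crossing the site edge

def demo():
    fw = StatefulFilter(allow_inbound={("2001:db8:1::80", 443)})
    client, peer = "2001:db8:1::10", "2001:db8:ffff::1"
    return [
        fw.process(Packet(client, 50000, peer, 80)),    # outbound, creates state
        fw.process(Packet(peer, 80, client, 50000)),    # matching reply
        fw.process(Packet(peer, 80, client, 50001)),    # no state: dropped
        fw.process(Packet(peer, 40000, "2001:db8:1::80", 443)),  # allowed rule
    ]
```

Because no address is rewritten, a filter elsewhere in the network that blocks `2001:db8:1::10` affects only that host, which is the address-filtering property Eric describes.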
_______________________________________________

Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf